The Education and Skills Partnership Limited (ESP) GDPR Registration Number: ZA116780
ESP needs to keep certain information about its staff, learners and other users to allow it to monitor performance and achievements and to deal with matters such as health and safety.
It is also necessary to process information so that staff can be recruited and paid, courses organised and legal obligations to funding bodies and the Government complied with. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully.
The General Data Protection Regulation 2018 governs the use of personal information by businesses and other organisations. If your business requires that you store people’s personal details, such as customer or employee records then you must comply with the General Data Protection Regulation 2018.
The Regulation requires that personal information is:
1. Processed fairly and lawfully. (Lawfulness, fairness and transparency)
2. Processed for one or more specified and lawful purposes, and not further processed in any way that is incompatible with the original purpose. (Purpose limitation)
3. Adequate, relevant and not excessive. (Data minimisation)
4. Accurate and, where necessary, kept up to date. (Accuracy)
5. Kept for no longer than is necessary for the purpose for which it is being used. (Storage limitation)
6. Processed in line with the rights of individuals.
7. Kept secure, with appropriate technical and organisational measures taken to protect the information. (Integrity and confidentiality (security))
8. Not transferred outside the European Economic Area (the European Union member states plus Norway, Iceland and Liechtenstein) unless there is adequate protection for the personal information being transferred. (Accountability)
Status of the Policy
This policy does not form part of the formal contract of employment for staff, but it is a condition of employment that employees will abide by the rules and policies made by ESP from time to time.
Any failures to follow the policy can, therefore, result in disciplinary proceedings.
Any member of staff who considers that the policy has not been followed in respect of personal data about themselves should raise the matter within designated reporting lines. If the matter is not resolved, it should be raised as a formal grievance under the Grievance Procedures.
All staff are responsible for ensuring that:
• Any personal data which they hold is kept securely (personal data is defined as any information about a living person).
• Sensitive personal data includes data on the following subjects (collected and held only with the Data Subject’s express consent):
– Racial or ethnic origin.
– Political opinions.
– Religious or other beliefs.
– Physical or medical health conditions.
– Sexual life.
– Criminal offences.
– Criminal proceedings and convictions.
• Personal information is not disclosed, either orally or in writing, accidentally or otherwise, to any unauthorised third party. This includes visual images held on the ESP CCTV security system.
Staff should note that unauthorised disclosure would usually be a disciplinary matter and may be considered Gross Misconduct in some cases.
Any breach of this policy must be reported directly to the Data Controller, in line with ICO governance requirements. A GDPR breach will result in fines for ESP, reputational damage, due diligence risk, being struck off panels (e.g. mortgage panels), and investigation by the FCA. Additional policies will be added based on this new law: General Data Protection Regulation Policy, Data Storage & Cloud Computing Policy, Clean Desk Policy, Email Use Policy, and Software Installation Policy.
Personal information should be:
• Kept in a locked filing cabinet or in a locked drawer.
• Encrypted and password protected (if computerised or electronically held).
• Kept, if computerised, solely on the server and NOT on disks, USB devices or other forms of external media.
Staff guidelines for General Data Protection Regulation
All staff will process data about students on a regular basis when marking registers, writing reports or in an academic supervisory role. ESP will ensure through registration procedures that all students give their consent to this sort of processing and are notified of the categories of processing, as required by the GDPR 2018 Act. Information that staff deal with on a day-to-day basis will be ‘standard’ and will cover categories such as:
• General personal details such as name and address.
• Details about class attendance, course work and associated comments.
• Notes of personal supervision, including matters about behaviour and discipline.
Each member of staff has a duty to ensure that they comply with the GDPR principles which are set out in the GDPR Policy. In particular, staff must ensure that records are:
• Up to date.
• Fair.
• Kept and disposed of safely and in accordance with the company’s policy.
Staff must not disclose personal data to any student, other than for normal or academic purposes, without authorisation or agreement.
Staff shall not disclose personal data to any other staff member except with the authorisation or agreement of the individual concerned or the Head of HR.
All staff should understand their responsibilities for GDPR and security when dealing with personal data on computers or in files away from ESP offices/learning centres or by means of log-ins to the ESP server from home or away from the ESP environment:
• If the computer belongs to ESP, it is not used by other household members.
• Only equipment designed to be portable is taken from ESP premises.
• If it is their own computer, ESP data is not accessible to anyone else (i.e. it is password protected), and all files are deleted when no longer needed.
• Virus protection is in place.
• Any print-outs are stored and disposed of carefully, utilising services provided by The Document Warehouse.
• Suitable transport is provided between home and work so that equipment, data and manual files remain secure whilst in transit.
• Computer files brought to work from outside the ESP environment are virus checked before loading onto ESP computer equipment or the ESP server.
• No personal files are taken from the ESP environment without the express permission of the Line Manager/Data Controller.
• Personal data files are not left unattended at any time except when locked in a filing cabinet drawer or similar equipment.
Any loss, unauthorised destruction, or disclosure of data will be a potential disciplinary offence.
Retention of Data
ESP will keep some forms of information for longer periods of time than others. Constraints on storage space determine that information about students cannot be kept indefinitely unless there are specific requests to do so. A general retention period of learner information is 3 years unless stated otherwise.
All client, staff and student data must be uploaded to SharePoint on the relevant sites, and paper files disposed of securely upon completion of the transaction. There is no reason to keep paper; it is a risk.
The data this governs will include:
• Name and address.
• Academic achievements, including any relevant auditable course work and records.
• Copies of any references given.
ESP Approved Electronic Storage
• ESP Microsoft OneDrive
– Storage facility for electronic client files/documents prior to uploading to IO.
– Phone scan, web based, backed up, secure, with share facility.
• SharePoint
– Store ALL client files in SharePoint and delete all other paper and electronic copies upon completion of the transaction.
– Do not store any client personal data on your PC/laptop hard drive, handheld and mobile devices, or external storage devices.
– Remove all client data from your PC/laptop, any other external storage devices and non-compliant cloud storage locations.
Other information kept on computerised systems will be held for as long as the information is needed and will be disposed of as soon as it is no longer relevant. ESP will need to keep information about staff; in general, all information will be kept for seven years after a member of staff leaves ESP. However, some information will be kept for much longer; this will include information necessary in respect of pensions, taxation, potential or current disputes or litigation regarding the employment, and information required for job references.
The law requires ESP to ensure data is kept up to date and accurate by
• Minimising storage locations. Client data is to be held in SharePoint and Microsoft OneDrive only, as per the Data Storage Rules.
• Updating data at every opportunity and correcting inaccuracies.
• Providing clients with access to update their details.
• Ensuring all marketing data is compliant. Advisers are to complete the marketing consent section within the fact find and ensure it is recorded that clients have ‘opted in’ to receive marketing communications from ESP.
Each staff member will need to:
• Lock screens when unattended, and not share personal data informally.
• Electronic client communications:
– Use PFP Secure Messaging.
– Encrypt emails.
• Not transfer data outside of the EU.
• Only access data via secure Wi-Fi networks.
In addition to the changes in practices for Data Storage, use and accurate recording please ensure the following:
• All PC and laptop hard drives are encrypted (new Windows 10 and Macs have this built in – turn it on!).
• Delete old emails with unencrypted personal data.
• Set strong passwords – see the ESP Password Policy for examples.
• Do not use personal storage devices (USB sticks, external hard drives).
• Cloud-based applications – where personal data is entered, only use those identified within the ESP Cloud Computing Policy.
• Email and internet use – common sense approach.
• Wi-Fi – new networks in TFA offices for guests.
Paper Based
• Store securely where unauthorised people cannot see it.
• Keep under lock and key when not in use.
• Remove all documents with personal data immediately from communal areas such as printers.
• Dispose of securely.
• Upload all client files to the relevant SharePoint sites and dispose of paper files securely upon completion of the transaction. There is no reason to keep paper; it is a RISK.
Compliance with the GDPR Act 2018 (25 May 2018) is the responsibility of ESP. Any deliberate breach of the GDPR may lead to disciplinary action being taken, access to ESP facilities being withdrawn, and even criminal prosecution.